The vulnerability that wasn't in the book

At 04:06 on 19 August 2024, the wind on Bayesian's beam went from manageable to more than 70 knots in seconds. The awning over the flying bridge tore from port to starboard. The yacht heeled to 90° — mast in the water — in less than fifteen seconds, the generators cut out, and emergency lighting came on. There was no flooding inside the hull until water came over the starboard rails and poured down the stairwells. Guests used furniture drawers as a ladder to climb out of their cabin. Seven people did not get out: six guests and one crew member.

It is tempting to read that timeline and reach for the crew. They had a gale warning. They had thunderstorms in sight. The skipper had left orders to be woken above 20 knots. The boat was already dragging its anchor and listing before the fatal gust. From the outside, this looks like a case about people who did not move fast enough.

That reading is exactly the trap this series exists to expose. Because underneath the timeline sits a condition that no one on board could have managed, for the simplest possible reason: it was not in the book.

Bayesian's Stability Information Booklet was approved in 2008 by the UK Maritime and Coastguard Agency against the Large Commercial Yacht Code. That booklet did contain the right kind of safeguard: curves of maximum steady heel angle to prevent downflooding in squalls — precisely the guidance a crew needs to know how hard a sudden gust they can take before water starts entering the vessel. But those curves existed only for the sailing conditions, with the centreboard lowered and sails set.

On the night she sank, Bayesian was not sailing. She was at anchor in motoring condition: centreboard raised, no sails. For that condition — the condition she was actually in — the approved booklet contained no anti-squall curve at all.

After the loss, the MAIB commissioned the University of Southampton's Wolfson Unit to rebuild the stability model. In the sailing conditions, the booklet's documented angle of vanishing stability ranged from 84.3° to 92.3°. In the motoring condition, the Wolfson Unit calculated it at 70.6°. The same study found that the 72-metre mast alone accounted for half the vessel's wind-heeling moment on the beam, and that on the beam a gusting wind above 63.4 knots would likely capsize the yacht regardless of any sheltering effects between the rigging elements.

Most investigation effort goes into one question: was the procedure followed? It is the wrong first question, because it assumes the procedure — or the limit, or the case, or the certificate — described the situation the work was actually in.

Every safety-critical document carries an implicit scope: the set of operating conditions it was validated for. A basis of safety is written for a defined process envelope. A safe operating limit is set for an assumed configuration. A stability case is approved for specific loaded conditions. Outside that validated set, the document is not wrong — it is silent. And silence reads, to everyone working under it, as permission.

This is not a maritime curiosity. The US Chemical Safety Board's public incident reports repeatedly describe releases that occurred in operating states — a non-routine wash, an isolation that was assumed rather than verified, a configuration outside the assessed case — for which the governing hazard assessment had concluded the risk was low or simply had not looked. The mechanism is identical: an approved document, a real-world condition outside its validated scope, and a workforce treating "approved" as "safe in all states."

Across processing sites I have investigated in West Africa, the same pattern recurs. A HAZOP clears a unit for steady-state running and for a defined start-up sequence. The release comes during a partial restart after a trip — a condition that occurs dozens of times a year in operations but appears nowhere in the study. The operators were following the procedure. There was no procedure for the state they were in. The investigation that blamed "operator error" closed in three weeks. The condition that produced the event was never written down, so it produced the next one too.

There are, in effect, two investigations of Bayesian running in parallel, and they are converging on opposite answers. Working to its statutory no-blame mandate, the MAIB surfaces a latent condition — an undocumented stability vulnerability in the operating state, amplified by mast windage and a design permitted to fall below the usual stability range. The Italian prosecutor's office, working to a liability mandate, has been reported as locating responsibility in the crew's actions and their reading of the weather.

"The sole objective of a safety investigation shall be the prevention of future accidents. It shall not be the purpose to determine liability nor to apportion blame."

Same vessel. Same timeline. Same seven deaths. Two findings — because each investigation is built to find a different kind of thing. A no-blame safety investigation is engineered to surface the conditions of the system. A liability investigation is engineered to surface the acts of individuals. Neither is lying. But only one of them prevents the next loss, and it is not the one that ends at a person.

You do not need a wreck to find your silent states. Run this on any safety-critical document governing live operations — a basis of safety, a stability case, a safe operating limit, a permit envelope, a critical procedure.

1. Enumerate the real operating states — List every condition the asset is actually run in, including the non-routine ones: start-up, restart-after-trip, partial load, maintenance mode, degraded configuration. Get this from operators, not from the document.
2. Map each state to the document — For every state on your list, locate where the document explicitly characterises the failure mode and the safe envelope for that state.
3. Mark the silent states — Any operating condition that exists in operations but is not explicitly covered in the document is a silent state — an un-assessed hazard, not a low one.
4. Treat silence as a finding — A silent state carries no evidence of safety. Until it is characterised, it is managed as an open major-accident hazard, with interim controls — not as routine.
5. Re-test after every change — Every modification, re-rate or new operating mode creates new states. Management of change that does not re-run steps 1–4 simply manufactures fresh silent states.

Applied to Bayesian, the audit catches it at step 1: the motoring-at-anchor condition is a real operating state; at step 2 there is no anti-squall curve for it; at step 3 it is marked silent; at step 4 it is treated as an un-assessed capsize hazard requiring an interim limit. None of that needs hindsight. It needs the discipline to ask the book about the conditions the asset is actually in.

The most dangerous latent condition in your operation is not the one you assessed and got wrong. It is the one your approved documentation never described — because no one knew to ask, so no one was ever warned. The investigator's first move is to find the conditions the approval never covered, and to treat that silence as the hazard it is.

""Approved" is a statement about a set of conditions, not about reality."